And they're using an Extended Validation certificate from DigiCert for it
CN = nytimes3xbfgragh.onion
OU = Technology
O = The New York Times Company
Object Identifier (2 5 4 15) = Private Organization
along with some other addresses
DNS Name: nytimes3xbfgragh.onion
DNS Name: graylady3jvrrxbe.onion
DNS Name: *.graylady3jvrrxbe.onion
DNS Name: *.dev.graylady3jvrrxbe.onion
DNS Name: *.stg.graylady3jvrrxbe.onion
DNS Name: *.nytimes3xbfgragh.onion
DNS Name: *.api.nytimes3xbfgragh.onion
DNS Name: *.api.dev.nytimes3xbfgragh.onion
DNS Name: *.api.stg.nytimes3xbfgragh.onion
DNS Name: *.blogs.nytimes3xbfgragh.onion
DNS Name: *.blogs.stg.nytimes3xbfgragh.onion
DNS Name: *.blogs5.stg.nytimes3xbfgragh.onion
DNS Name: *.dev.nytimes3xbfgragh.onion
DNS Name: *.dev.blogs.nytimes3xbfgragh.onion
DNS Name: *.newsdev.nytimes3xbfgragh.onion
DNS Name: *.prd.nytimes3xbfgragh.onion
DNS Name: *.sbx.nytimes3xbfgragh.onion
DNS Name: *.stg.nytimes3xbfgragh.onion
DNS Name: *.stg.blogs.nytimes3xbfgragh.onion
DNS Name: *.stg.newsdev.nytimes3xbfgragh.onion
DNS Name: www.bestsellers.nytimes3xbfgragh.onion
DNS Name: www.homedelivery.nytimes3xbfgragh.onion
Sometimes I wonder if it's a good idea to brute-force these kinds of "vanity" onion prefixes. Take a look at the addresses used in http://incoherency.co.uk/blog/stories/hidden-service-phishin... ; they brute-forced the same prefix with a different suffix. Would anyone really notice?
If they didn't use vanity names, then people would only remember the first/last few random characters and the phishing scheme could very well still work, just it'd be less readable for visitors. I don't think we can assume that if all the characters were random they would remember them all better.
I don't think people would remember them better if completely random. Rather, I think if they're completely random, people might correctly assume they can't, and remain appropriately skeptical; if they include a vanity prefix, people seem likely to remember the vanity prefix and somewhat less likely to pay attention to the rest.
If you're that easily phished, why are you using TOR at all?
You aren't being attentive enough for high risk activities. You lack proper verification channels, to confirm authenticity, which matters in this context. You lack the situational awareness to proceed safely.
Admit that you might not be cut out for what it takes to maintain a secure posture on the internet, if that's what gets you. Just stop pretending to try.
What we need is some way for the vast majority of the population who are not nearly as good at security as you are and never could be, to be able to access such sites securely.
Oh, I'd hazard a guess that the media is well-educated, and handily equipped with an agenda similar to advertisers and marketers employing dark patterns and pervasive analytics.
And I never claimed I was good at anything. But I did intend to point out that with advanced persistent threats in the mix, and nation state actors operating with effectively unlimited resources, failing to notice the difference between two vaguely similar nonces (in a situation where it matters) is going to get you hanged, depending on what you're trying to fly below radar.
.onion addresses aren't resolved using the DNS system. So... no?
I guess in theory a browser _could_ support something like that, but it'd be pretty unusual. I also think the idea of relying on DNS to resolve a hidden service would defeat a lot of the privacy and security guarantees associated with those services, so I don't think any browser serious about security would implement something like that.
Would it make any sense to use something like tor.nytimes.com to redirect to their hidden service on the other hand? To allow people to be sure they're hitting the correct endpoint on Tor. If you're on TOR you typically have access to the rest of the internet, at least depending on setup.
An HTTP redirect is a completely different thing from a CNAME record in the DNS.
If you visit https://onion.nytimes.com/ and it sends you a 301 redirect to https://nytimes3xbfgragh.onion/ then yes, I'm pretty sure that'd work fine. However, if you perform a DNS lookup on `onion.nytimes.com` and receive in response a CNAME record pointing to `nytimes3xbfgragh.onion`, I seriously doubt the browser is going to respond to that by establishing a new Tor circuit to the named hidden service. Rather, it's most likely just going to do what every other DNS client does when it receives a CNAME record; it'll try to look up `nytimes3xbfgragh.onion` in the DNS. (And fail, because `.onion` is not a valid TLD in the regular DNS system.)
It is a bit silly considering you can trivially brute onion addresses consisting entirely of words.
I just generated "omen coins car hoof.onion" right now, in a couple of seconds, with my laptop CPU. With a couple of GTX1080s you could easily find some much better .onions than the ones NYT chose.
I'd be inclined to go for something bit shorter for this, perhaps just "times", but yeah.
Lets pretend we've got a $5000 budget.
Quick back-of-the-envelope math shows that a 8xGTX1080¹ box will be able to generate ~3 onion addresses beginning with "nytimes" every second, we can afford 6.25 months of this.
Instead of waiting a really long time, we'll rent multiple boxes and squeeze all that into one month. In that month our servers will find approximately 44055283.1 onion addresses beginning with "nytimes".
At least with the wordlist² I use, without a prefix I discover approximately one "good" onion per 8 million random onions. Considering we've got a 7 character prefix for our 44 million onion candidates, so I'd expect a significantly better rate than just 1/8000000
So yeah, in a month you'd probably find at least 5 "better" onion addresses.
Extended Validation certificate is when a company go to a CA and provide a bunch of business documents and legal proof that they really own the company behind a name. Its not a technical aspect but human lawyer <-> human lawyer that establish a certificate. At the end if the validation is successful, the company get a technical signed document that in browsers shows up as a green lock and the name in green next to the URL.
> you now know that the website you want is actually who they say they are?
That's the idea. Of course, validation, while more thorough than for standard certs, still is not that reliable. My strong impression is that it could be fooled by anyone sufficiently motivated.
Not only that - in practice it's kind of meaningless, because if you were served a non-EV cert, you wouldn't notice. And there's usually other domains or subdomains that don't use the EV cert. It's mostly just a kind of token gesture by a business to claim they're more secure.
On a somewhat related topic, I worry a lot about things on the internet disappearing, most often simply due to neglect (domain expiry, companies being bought, et c.) I try to save everything I can that I find interesting, in fear of it never being available again.
That said, it makes me very happy to see emails from 1987 archived online--so happy that I've even saved a copy.
I was one of the 743 people who received his rwall and immediately send him a message (which I've since lost) flaming about the evils of Sun RPC (and promising a longer flame). I saved his reply and some old email about it from the hackers_guild and tcp-ip mailing lists.
IIRC, the flame probably would have touched on the fact that among Sun RPC services, rcp.rwalld was hardly the worst offender: Sun's NFS rpc.mountd demon trusted the client's word on what its hostname is (it was passed from client to server as a parameter to the mount RPC call -- the server didn't check the ip address!), in order to authenticate the client's permission to mount a directory!
That's right, you actually could mount any NFS directory by going "hostname <hostname known to be in server's /etc/exports> ; mount server:/directory /mnt ; hostname <previous host name>". And you could usually use the equivalent of "tftp server:/etc/exports /tmp/server_exports" to discover a trusted hostname to use, because Suns were set up like that by default, out of the box!
Date: Tue, 31 Mar 87 12:02:53 PST
From: jkh%violet.Berkeley.EDU@berkeley.edu (Jordan K. Hubbard)
To: don@tumtum.cs.umd.edu
Subject: re: flame flame flame
Thanks, you were nicer than most.. Here's the stock letter I've been
sending back to people:
Thank you, thank you..
Now if I can only figure out why a lowly machine in a basement somewhere
can send broadcast messages to the entire world. Doesn't seem right
somehow.
Yours for an annoying network.
Jordan
P.S. I was actually experimenting to see exactly now bad a crock RPC was.
I'm beginning to get an idea. I look forward to your flame.
Jordan
----
Jordan's rwall scribbled all over Dennis Perry's Interleaf windows (who Jordan incorrectly referred to as the Inspector General of the ARPAnet in the Pentagon, and who was "absolutely livid" and threatened to cut off UCB's ARPANET access). Things were pretty wide open back then, and Jordan's "little incident" really stirred up a hornet's nest!
There were some interesting followups from heavy duty dudes like Milo Medin and Dennis Perry on the h_g/tcp-ip mailing lists:
From: Milo S. Medin <medin@orion.arpa>
Actually, Dennis Perry is the head of DARPA/IPTO, not a pencil pusher
in the IG's office. IPTO is the part of DARPA that deals with all
CS issues (including funding for ARPANET, BSD, MACH, SDINET, etc...).
Calling him part of the IG's office on the TCP/IP list probably didn't
win you any favors. Coincidentally I was at a meeting at the Pentagon
last Thursday that Dennis was at, along with Mike Corrigan (the man
at DoD/OSD responsible for all of DDN), and a couple other such types
discussing Internet management issues, when your little incident
came up. Dennis was absolutely livid, and I recall him saying something
about shutting off UCB's PSN ports if this happened again. There were
also reports about the DCA management types really putting on the heat
about turning on Mailbridge filtering now and not after the buttergates
are deployed. I don't know if Mike St. Johns and company can hold them
off much longer. Sigh... Mike Corrigan mentioned that this was the sort
of thing that gets networks shut off. You really pissed off the wrong
people with this move!
Dennis also called up some VP at SUN and demanded this hole
be patched in the next release. People generally pay attention
to such people.
From: Jordan K. Hubbard <jkh@violet.berkeley.edu>
Well, I hope Sun patches the holes, Milo. I'm sorry that certain people chose
to react as strongly as they did in our esteemed government offices, but
I am glad that it raised enough fuss to possibly get the problem fixed. No
data was destroyed, lost, or infiltrated, but some people got a whack on the
side of the head for leaving the back door open. I'm not sure I can say that
I'm all that sorry that this happened. rwall is certainly going to change on
my machines, I can only hope that people concerned about being rwall'd over
the net will tighten up their RPC. Those that don't care, should at least be
aware of it.
From: Dennis G. Perry <PERRY@vax.darpa.mil>
Jordan, you are right in your assumptions that people will get annoyed
that what happened was allowed to happen.
By the way, I am the program manager of the Arpanet in the Information
Science and Technology Office of DARPA, located in Roslin (Arlington), not
the Pentagon.
I would like suggestions as to what you, or anyone else, think should be
done to prevent such occurances in the furture. There are many drastic
choices one could make. Is there a reasonable one? Perhaps some one
from Sun could volunteer what there action will be in light of this
revelation. I certainly hope that the community can come up with a good
solution, because I know that when the problem gets solved from the top
the solutions will reflect their concerns.
Think about this situation and I think you will all agree that this is
a serious problem that could cripple the Arpanet and anyother net that
lets things like this happen without control.
dennis
———
From: Jordan K. Hubbard <jkh@violet.berkeley.edu>
Dennis,
Sorry about the mixup on your location and position within DARPA. I got
the news of your call to Richard Olson second hand, and I guess details
got muddled along the way. I think the best solution to this problem (and
other problems of this nature) is to tighten up the receiving ends. Assuming
that the network is basically hostile seems safer than assuming that it's
benign when deciding which services to offer.
I don't know what Sun has in mind for Secure RPC, or whether they will move
the release date for 4.0 (which presumably incorporates these features)
closer, but I will be changing rwalld here at Berkeley to use a new YP
database containing a list of "trusted" hosts. If it's possible to change
RPC itself, without massive performance degradation, I may do that as well.
My primary concern is that people understand where and why unix/network
security holes exist. I've gotten a few messages from people saying that
they would consider it a bug if rwall didn't perform in this manner, and
that hampering their ability to communicate with the rest of the network
would be against the spirit of all it stands for. There is, of course, the
opposite camp which feels that IMP's should only forward packets from hosts
registered with the NIC. I think that either point of view has its pros and
cons, but that it should be up to the users to make a choice. If they wish
to expose themselves to potential annoyance in exchange for being able to,
uh, communicate more freely, then so be it. If the opposite is true, then
they can take appropriate action. At least an informed choice will have been
made.
Yours for a secure, but usable, network.
From: Dennis G. Perry <PERRY@vax.darpa.mil>
Jordan, thanks for the note. I agree that we should discover and FIX holes
found in the system. But at the same time, we don't want to have to
shut the thing down until such a fix can be made. Misuse of the system
get us all in a lot of trouble. The Arpanet has succeeded because of
the self policing community. If this type of potential for disruption
gets used by very many people, I guarentee that we all will not like the
solution or fix proposed.
Why do we think a lawyer would be less likely to be duped? If they are relying on physical paper and pen signatures...aren't those all incredibly easy to fake?
You get a green bar to know you're connecting to the NYT and the cert is issued for many additional addresses showing large coverage of their services and hinting at future use.
EV certs provide more than just encryption that a DV (domain validation) cert provides. DV just checks to make sure the domain is under control of whoever is asking for the cert.
EV ensures that the entity (person, corp, org, whatever) is in fact in control of the domain and is who they say they are.
Worth noting that a lot of the arguments in this article change when you're talking about Onion services.
Notably, Onion services tend to have URLs that are _very_ difficult for humans to remember (they're essentially just gibberish), and they're anonymous by default, meaning without an EV cert there's no easy way to check whether the service you're visiting is legitimate or not.
DV certs are also pretty useless for Onion services, since your connection is already encrypted and authenticated by Tor.
EV is mandatory for .onion HTTPS certificates - since onion hashes (the 'domain name') are even less meaningful as a form of identity than regular domains.
This is incorrect. Onion domain addresses already provide the same level of confidence as a DV certificate, because they are a public key of the server you are connecting to. There would be no additional value in issuing a DV certificate for an .onion domain.
Yes, but how do you know that you are actually connected to nytimes3xpfgragh.onion each time? DV lets you know that the onion site you connected to is the NYTimes, and not a privacy-attacking MITM site.
Did you notice that I changed the nytimes URL a tiny bit up there? nytimes3xbfgragh.onion is the real one. (Yes, there's no guarantee that someone else would be able to generate a specific alternate address, but one that also starts with nytimes is probably possible for a well-resourced attacker.)
The public key is encoded in the onion address, so the client can verify the server you connect to has the matching private key. This is part of the tor protocol, so happens always when talking to onion services.
Onion domains are a form of content addressing based on public key pairs. Normally onion domains aren't that readable as the nytimes one and look more like a bunch of random letters. (All nytimes did was generate many million key pairs until they found one that looked cool.)
If you fetch web pages from http://abc123.onion you bascially tell tor "connect me to whoever holds the certificate with fingerprint abc123". Any domain validated certificates on top of that is superfluous since you already know which certificate you are talking to. What you don't know is who holds it. This is where organizationally validated certificates can help.
It is. Overlay networks has a very expensive overhead, but it is one of the few ways that networks can be updated to modern views on security threats and privacy without getting ISP to change their hardware and software. I am in particular hopeful that we might see a future where tor will simply be a available tool in the general network stack, enabling private end-to-end without exist nodes.
> People wanting to access NYT site via Tor, can just navigate to https://www.nytimes.com/ and it'll be significantly faster than the .onion equivalent.
This isn't true, exits are currently in short supply. And onion services don't use exits, so it will result in a faster speed, especially since they may have made it as a single onion service[1].
Does the onion service still serve the same advertisements their website and mobile app do?
If so, they're leaving their users-who-want-to-stay-relatively-anonymous open to attack via the advertisement vector. Members of that group would be considered high-value targets simply due to their anonymity desires.
I can't see the number of daily users being large enough that they'd lose significant profit by closing that attack vector. Hell, if there was a way to pay NYT enough to disable ads on all their services, I'd do it.
How can I get first party isolation in regular chrome or firefox? That is exactly what I've been imagining/wanting since Firefox announced their new container prototype.
Thank you. I am excited for all the ways this is going to break the web for me, but this is exactly what I wanted. Maybe someday this will be on by default for everyone. Can you imagine?
In firefox: about:config -> privacy.firstparty.isolate = true
Note that containers provide similar functionality but in a less rigid manner. On the other hand first party isolation has the advantage that it also applies on navigation within a single tab while containers are fixed within a single tab. Currently neither is a superset of the other. If bug 1323873 [0] gets implemented then containers + some scripting by extensions could act as a superset of first party isolation.
I am curious about this as well. Tor is anonymous insofar as individual entrances and exits cannot be monitored. The advertising and other tracking pixels that would riddle something like the NYT site makes me think this is how some uncareful kingpin will fall, checking the op-eds.
Can't the nodes be compromised? I've eschewed using it as USG is purported to have taken over entrance and exit nodes using a combination of threats and bribery.
In order to fully compromise your privacy, the government would need to have control of _all nodes_ in your path, not just the entrance and exit nodes. (They _might_ be able to deanonymize some users by using traffic correlation using only entrance and exit nodes, but that is by no means a straightforward process.)
Tor also gives you a way to choose a specific exit node based on the country it is in, but I have no idea how reliable that is.
It is worth noting that with hidden services no exit nodes are required, since your traffic's final destination is running its own Tor-compatible node.
as Ajedi32 states, even knowing entrances and exits, it is SUPRHARD to figure out all the associations, but it has been done in the past for high profile sites. It is also not possible for them to monitor every entrance and exit, and it is akin to watching the entrances to a mall where everyone is dressed exactly the same, trying to identify who shops where. With one-off data, really hard. With regular or periodic data, the mystery is a lot easier to unravel.
I was asking because I'm currently nowhere near a system that I'd trust for this purpose. I'll be near one later and, if you're interested, I'll update the question with my findings.
There exists a system that you wouldn't trust to provide a good-enough answer to the question "Does the onion service still serve the same advertisements their website and mobile app do?" ?
What do you think an untrustworthy system is doing that would make it give a not-good-enough answer?
That's a clever question and the answer has a few parts, mostly due to the slipperiness of "trust" as a concept: I wasn't specific enough in my description of my own threat model (which makes sense, as my aim wasn't to explain the threat model but to cultivate answers from other folks). In short, I currently only have access to systems that are too costly to replace, if the site is under active attack. That's not to say that HN's comment section isn't also a risk, but it seems less of one.
I considered these actors before deciding to ask the question instead of immediately connecting directly: available computer systems, internet pipes, the NYT website, and the bevy of third party ad-services hosted through the website.
Not all entry points do the most paranoid thing, and not options are even available on all entry points.
The Tor Browser Bundle (desktop) has different defaults than Orfox (phone), and I think both will connect to non-onion URLs when connecting to an onion site. Same for JS, ad-block, etc.
Well there's meek-amazon[1] which seems to work there. Also I remember I talked last months to some guy on irc at #tor who was using some obfs4 bridges successfully in China. There's also another pluggable transport named Snowflake[2] where everyone can become a bridge by just running some JS in their browser, which may prove to be a good solution (it doesn't work yet in China since it uses Google for domain fronting).
What's the point of making it available in the Tor network if their onion site includes a script from www.googletagmanager.com (or an "iframe" if scripting is disabled) thus making it significantly less anonymous?
Onion websites should be isolated and should not initiate any connections to vanilla internet.
Edit: it also loads scripts from www.google.com, tags.bluekai.com, cdn.optimizely.com...
Haven't tested to see how they are doing, but that's kinda orthogonal to using tor. Standard cryptography like https uses is meant so any eavesdroppers don't know WHAT you are talking about. But they still know that Alice is talking with Bob. Onion routing, that tor uses, is meant to so eavesdroppers also don't know who is talking to whom. But that's on the eavesdroppers part. If Alice and Bob are talking completely privately, it's completely fine if they are exchanging all the information they want between themselves. The big idea is that attackers don't know what you are doing.
Tor can also hide where Bob's servers are, but not sure if the New York Times would need that bit.
The two things are not directly dependent: for instance, Facebook allows you to connect to your account through Tor. You still have a separate individual authentication (email & password, 2FA) once the connection is established. I believe I have a paying NYT account so I might try if you are interested.
It’s possible that Tor makes it harder to enforce the rule that you can’t read more than X articles per month (which I believe is enforced using cookies and your IP address) but at this early stage, I’m not sure that’s key: people who know how to use Tor generally can easily go around that limitation on https.
If too many people use that loophole to read without a subscription, that means NYTimes would have been instrumental in making Tor mainstream. That would be a major achievement in itself. Enforcing similar consumption limits through Tor would probably be rather experimental, but sounds hardly difficult (especially with the goodwill NYTimes would have most likely gained from Tor developers & supporters).
> It’s possible that Tor makes it harder to enforce the rule that you can’t read more than X articles per month (which I believe is enforced using cookies and your IP address) but at this early stage, I’m not sure that’s key: people who know how to use Tor generally can easily go around that limitation on https.
Their current X (which I think is 10) articles per month limit is enforced via cookies. If you're like me and have your browser set to automatically clear all cookies and persistent state on close, you never even notice it exists.
There you login like normal. Tor can be used to hide from the website owners, and from the network owners between you and the website. If you don't mind that the website knows who you are, you login and identify yourself to them, without letting the network know what you do.
They show the countdown of remaining articles but they have virtually no way of identifying your browser over Tor so all you need is clear cookies and continue to browse anonymously.
That would still contradict anonymity though. They can't track users by IP address or cookies (if Tor browser is used... it is transient for the session) and having people register means they are likely have to come out of anonymity. If they do manage to register one from anonymous throwaway address, then it essentially make paywall moot...
A hidden service is set for information can not be safely presented on the public Internet. Like what The Daily Stormer did.
If one just wanted to bypass blocking or hide himself from evil third parties, he could just use tor browser to open NYT's regular domain instead of the hidden service domain, no?
Onion services are faster on Tor, since you aren't limited by the bandwidth of the exit nodes.
There are also some security benefits, since connections to hidden services are automatically encrypted and authenticated, no HTTPS or trust in Certificate Authorities required (though HTTPS with EV certs can still be useful for identification purposes).
There are no “easy” onion URLs. They are essentially random (hash of a key iirc). It’s possible to generate random URLs until you get a prefix you like, but the time it takes increases exponentially with length of the desired prefix.
I recall that Facebook brute forced their way into having an onion url that was easy to remember, by generating millions of them and then picking one that was simple.
That's clearly what the New York Times did as well (though probably with far less compute time than Facebook). nytimes3xbfgragh.onion is the easy to remember name they were able to generate.
I found blockchainbdgpzk in just under 3 days. It was the sixth blockchain* address I found.
I ran 3x 4 GPU cloud instances on AWS on the old Teslas - which aren't very fast at SHA. IIRC it was doing 15GH/s total
Today you can get ~7GH/s on an Nvidia 1080 so you should be able to find an all-alpha 10 char onion in about a week.
The new cards and some of the password cracking rigs (i'm building a new one now) are able to do SHA1 so quickly that they're a real threat to generating phishing addresses for onions - which is why the DigiCert certificates are required
TimesOpen is an engineer-driven blog. Its previous incarnation was self-hosted on a WordPress stack (separate from our main CMS), but for various reasons it was decided to re-platform.
There were many discussions before settling on Medium and alternatives were considered (such as dogfooding our own CMS). We have a lot of work in-flight to modernize and simplify our publishing stack, and the timing wasn't right to rely on internal tools to publish a new blog.
It's the real IP address of the service that's hidden, not necessarily its Onion address. In theory, there's no reason `.onion` links couldn't be crawled and indexed by search engines the same way any other website is.
Although there's a risk to using onion directories, since you have to trust that the hash they give you for the New York Times for example, is actually the real hash. It's easier to spoof onion hashes than domain names since domain names are more well known. You'd hopefully catch that you're connecting to nytim3s.com, not so much nytimes3xbfgra3h.onion.
EV certs can help with this to some extent. For example, the New York Times is using an EV cert with the organization name "The New York Times Company" for their hidden service. So as long as you trust the CA system, you can be certain that you're talking to a server operated by The New York Times, and not just a copycat.
Err... does the tor site still have the 10 views a month for free limit? Are tor users supposed to subscribe to NYT - that will surely blow through any privacy you hope to achieve.
From the /r/tor thread System33 posted a comment[0] originally by Alec Muffet explaining why Facebook set up a TOR service, which may answer some of your questions:
Why would anyone run a legal onion service?
Thanks Alec Muffett (OP) for the following summary copied from this comment
Understandably folk tend to think "Anonymity!" when talking about Tor Onions, but in rolling out the Facebook onion we established several clear benefits:
1. better and safer experience for people accessing over Tor: no interference by exit nodes, no bandwidth-contention for exit nodes, no use of exit nodes at all.
2. "good neighbour" - reciprocally, popular sites can unload themselves from eating up scarce exit-node bandwidth.
3. "a peace offering" - people (continue to) use Facebook over Tor; 3 years ago we saw 500,000/month, more recently ~1 million. Overwhelmingly we found (through measurement and assessment) that people using Facebook over Tor were ordinary folk wanting to do ordinary things. especially in times of political crisis. Providing a metaphorical "olive branch" showed that we value their use of the site.
4. Discretion & Trust. Onion Sites are considered to be about "Anonymity", but really they offer two more features: Discretion (eg: your employer or ISP cannot see what you are browsing, not even what site) and trust (if you access facebookcorewwwi.onion you are definitely connected to Facebook, because of the nature of Onion addressing; no DNS or CA shenanigans are applicable.)
Is this mainly intended for people from non-western countries who need a channel for free speech? Because apart from that I see no point in FB offering an onion service. If anonymity, discretion and trust are what I am looking for than surely FB itself is one of the least appropriate platforms for me.
>The New York Times reports on stories all over the world, and our reporting is read by people around the world. Some readers choose to use Tor to access our journalism because they’re technically blocked from accessing our website; or because they worry about local network monitoring; or because they care about online privacy; or simply because that is the method that they prefer.
Allowing readers to choose which security and privacy advantages they want. If I want privacy and security, I'll choose the onion service. If I want security only, I'll take the HTTPS road only.
For a publication that openly supported the Iraq war and all the suffering that entailed for innocent civilians, its kinda funny that they're suddenly all concerned about people's rights.
The Times has been blocked repeatedly, maybe even semi-permanently, in China. It gets blocked in other countries too, IIRC.
In the U.S., the Times published Chelsea Manning's leaked State Dept documents, it broke the story on Hilary Clinton's email sever, it reported the Wikileaks' DNC emails for months up to the US presidential election, and now it aggressively goes after Trump. While it's imperfect, I don't see which part of the establishment it so strongly supports.
>While it's imperfect, I don't see which part of the establishment it so strongly supports.
The State Department. NYT is vital in fabricating the history of conflicts and internal problems that have ever affected the United States.
to name a few : Syria, Iraq, Afghanistan, the War on Drugs, the Indochina wars, Cuba, Mexico, outside-of-country extradition, continual abuse and outright breaking of UN laws and sanctions, etc.
That's not even mentioning their (the NYT) history of character assassination with regards to civil rights leaders, activists, authors, speakers, and alternative thinkers.
...OR you get the Chomsky treatment, and they pretend that you don't exist for a few decades.
I didn't bother with citations, there are plenty to read through with just a cursory search engine query, but since I already invoked the name of the beast, i'll let him tell you about NYT[0].
NYT's is systematically biased in who or what it chooses to illuminate for the public to digest. Don't be surprised when they do good by you -- it's all character building -- just like this news that they're embracing tor.
.onion is not for sites being blocked in China, you can just use tor and access the nytimes.com web site from there. .onion is for websites that get their domain confiscated by their domain providers or the feds, very unlikely to happen to the NYT. See what happened to sites such as the pirate bay or more recently the neo-nazi site dailystormer https://en.wikipedia.org/wiki/The_Daily_Stormer#Site_hosting...
I think it's more that he'd prefer that the media didn't cite "unverified" dossiers that they sourced from Buzzfeed [0], which were produced by a source with ties to the DNC [1][2].
notably: it's not the GOP the organization that initial funded the oppo, but a private news org with conservative leanings. and the FBI did not fund the dossier, but were provided it during its creation. (side note: who cares)
When it comes to corroboration: I would think the special investigation is good enough evidence that the claims of Russian cooperation are being taken seriously, no? Significant is a weasel word but there is actual smoke here.
>I would think the special investigation is good enough evidence that the claims of Russian cooperation are being taken seriously, no?
How would you tell the claims being taken seriously from the investigators trying to use the legal system to get dirt on Donald Trump?
At this point, the investigation has been ongoing for around 10 months, and currently they've only found anything on Paul Manafort, who was Trump's campaign manager for a few months.
The charges against Manafort are essentially failing to disclose lobbying for foreign agents, tax evasion, and money laundering [0]. The lobbying was done while Manafort was working for the Podesta Group, which was founded by Hillary Clinton's campaign manager [1].
On a side note, I find it interesting how Wikipedia doesn't have any information on Manafort's involvement with the Podesta Group.
> I'd agree here. There's no reason to discuss politics on HN when there are numerous other places to do so.
HN is a forum about technology and the startup world, let's keep it about that.
The reason most political stories aren't a good fit here isn't that they aren't about tech or startups (both tech and startups overlap with politics quite a bit). It's because they inevitably lead to battles that destroy what HN is for. We can't be both, the same way a park can't be a war zone.
> "Some readers choose to use Tor to access our journalism because they’re technically blocked from accessing our website; or because they worry about local network monitoring; or because they care about online privacy; or simply because that is the method that they prefer."
What's your working definition of "mainstream news outlet"? I can't think of a reasonable one that precludes them from broadening their reach. And given their size, they are more likely to have the resources to do so.
Also, there are large populations where network monitoring and/or content restrictions are part of everyday life. The New York Times experienced this directly with respect to their iOS app in China.
Edit to add: To turn it around, why shouldn't the NYT do this? That isn't snark: I'm interested in hearing substantial reasons for the skepticism implicit in 'pbarnes_1 original question. Granted, I haven't read all of the comments for this submission, I haven't seen any that convincingly argue this isn't a useful thing.
> What's your working definition of "mainstream news outlet"?
A news outlet with a "one size fits most" attitude. That is, they offer a product which caters to people who could be described as "average". Typically companies focus their energy only on (potential) customers, not those who aren't a good fit for the product in the first place. There probably are more profit-promising people out there for the NYT than those who are somewhat crypto-nerds. They don't like clicking ads, some may even feel uneasy using typical payment methods to buy a subscription.
> Also there are large populations where network monitoring and/or content restrictions are part of everyday life.
Comical how? Check out their tech blog[0]. I'd venture a guess that they are the most technically adventurous news site, if not one of the more open corporations around in regards to trying new technology and writing about the experience. A lot of what they have to say is pretty interesting.
Disable Javascript. Enabling it makes you traceable. Run a Temporary profile in Firefox - otherwise cached images will make you traceable. Connect from your neighbors wifi (the further from your home the better, really) with a spoofed MAC address running from a write-locked USB live distro - this ensures you're protected from the unknown unknowns.
Or just use the Tor Browser - ideally with the High security setting. Other browsers don't have the same anti fingerprinting and first party isolation defenses.
Tor crypto guarantees an E2E connection to an entity possessing a key which matches the onion address which you sought to access. That's a benefit over DNS/TCP/BGP :-)
Its not secure. "Everyone" knows that. Everytime a drug market is taken down or a pedophile ring is busted, the investigators from FBI always claim it was some dubious mistake from the admin whic lead to it. But we all know they have discovered a vulnurability in the TOR protocol but won't disclose it.
Safe browsing guys
//edit: if you want extra security. Launch TOR from a remote desktop. And I am not talking about the ones you buy from known VPN providers like NordicVPN or amazon web services.
I guess I'm not everyone. I'd bet that the majority of the 'busts' are due to:
a) Infiltrating chats where people are more likely to share sensitive information / trust the people they're talking to
b) Poor configurations/ setups on either the client or server (client browser bundle has noscript, but it's not on the strictest settings, js is enabled iirc)
c) Exploitation of client or server due to out of date versions, things like that
Historically I think it's always fallen into one of these cases - and not just what the FBI etc say publicly but we've seen these exploits ITW. I wouldn't be surprised if the NSA and other agencies have the power to deanonymize TOR users but if it were trivial why is the majority of TOR traffic still going towards illegal content? Last I read (a paper a year ago) TOR is still primarily all about drugs, followed by child pornography (mostly drugs though iirc). If they can track all of these people by breaking TOR completely... why don't they?
Basically, he posted to stack Overflow using his own name and email address with code that was Silk Road was using. He quickly changed his username, but it was too late.
You don't need anything that isn't already publicly available: see every security bug reported on the mailing list, and reliable hop tracing via coordinated parties recording traffic (Tor's version of Bitcoin's 51% problem).
That said, it's still the most reliable limited-anonymity provider I know of.
> //edit: if you want extra security. Launch TOR from a remote desktop. And I am not talking about the ones you buy from known VPN providers like NordicVPN or amazon web services.
No, if you want extra security use Qubes OS with Whonix (it comes with it by default) for isolating the Tor process in a single VM and the browser in another - thereby prohibiting any leaks, unless an adversary has a VM escape RCE.
>But we all know they have discovered a vulnurability in the TOR protocol but won't disclose it.
Really? Perhaps you could explain how every single one of us found out it is true? Maybe every single one of us has a friend working in the NSA who was willing to tell us, even though he could go to jail for giving away such a secret?
